Bootstrap Hetzner Dedicated machines with a single command and deploy using GitHub Actions

cachix/cachix-deploy-hetzner-dedicated

Getting Started with Hetzner Dedicated

Hetzner dedicated machines are usually used as a beefy build machine or for CI, and Hetzner offers the best price/performance.

Since these machines are bare metal, setting them up comes with a cost. No more!

This setup uses a single command to bootstrap a machine and was tested using AX51-NVMe, but any machine with two SSDs should work.

Please contact domen@cachix.org if you have a different machine configuration or need support.

The bootstrap will set up the machine using RAID1 and ext4 for the root filesystem.

Rebooting the machine into rescue mode

  1. Log in to Hetzner Robot
  2. Make sure to put your SSH key into https://robot.hetzner.com/key/index
  3. Select the server you'd like to deploy
  4. Click Rescue -> Make sure you have Linux selected and your SSH key -> Click Activate
  5. Click Reset -> Select Execute an automatic hardware reset -> Click Send

Setting up Cachix

  1. Open Cachix
  2. If you're part of a team, click Select an account and click Create an organization.
  3. Click Caches at the top of the menu and create a new binary cache.
  4. Open Cachix Deploy
  5. Select the account/organization in the menu
  6. Create a new workspace by selecting the previously created binary cache.
  7. Click "Add an agent"
  8. Pick a description and generate a token
  9. Save the token as CACHIX_AGENT_TOKEN=xxx to cachix-agent.token

Bootstrapping the machine

Clone this repo and make sure to set sshPubKey in flake.nix with your public SSH key.

From the email you received when the Hetzner machine was provisioned, take the IP address and substitute it for yourip:

$ nix develop -c bootstrap-hetzner yourip myagent ./cachix-agent.token

Once the script finishes, your machine should come up in a few minutes and show up in your Cachix Deploy workspace.

In case anything goes wrong, you can order a remote console via the Support tab in Hetzner Robot.
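
Before running the bootstrap command, it helps to confirm that cachix-agent.token is well-formed, private and untracked, since the file sits next to a cloned git repository. The following is an added example, not part of this repository; the function name check_agent_token_file and the choice of checks are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check for the Cachix Deploy agent token file
# before it is passed to bootstrap-hetzner. The function name and the
# specific checks are this example's own assumptions, not project code.

check_agent_token_file() {
    f=$1
    problems=0

    if [ ! -f "$f" ]; then
        echo "error: $f does not exist or is not a regular file" >&2
        return 1
    fi

    # The page's format: a single CACHIX_AGENT_TOKEN=<value> line.
    # "xxx" is the README's placeholder, so reject it as a real value.
    if [ "$(grep -c '' "$f")" -ne 1 ] ||
       ! grep -Eq '^CACHIX_AGENT_TOKEN=[^[:space:]]+$' "$f"; then
        echo "error: $f must contain exactly one line: CACHIX_AGENT_TOKEN=<token>" >&2
        problems=1
    elif grep -qx 'CACHIX_AGENT_TOKEN=xxx' "$f"; then
        echo "error: $f still holds the placeholder value" >&2
        problems=1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # anything but "------" means other local users can read the token.
    if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
        echo "error: $f is accessible to group/other; run: chmod 600 $f" >&2
        problems=1
    fi

    # A token file inside the cloned repo must not be tracked by git.
    # Outside a repository (or without git) ls-files fails, which is fine.
    dir=$(dirname -- "$f")
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" ls-files --error-unmatch -- "$(basename -- "$f")" >/dev/null 2>&1; then
        echo "error: $f is tracked by git; untrack it and add it to .gitignore" >&2
        problems=1
    fi

    return "$problems"
}

if [ "$#" -gt 0 ]; then
    check_agent_token_file "$1"
fi
```

Saved as a script, it can be run with ./cachix-agent.token as its only argument; a non-zero exit status means at least one check failed.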

Using Actions for CD

Your machine is running a plain NixOS configuration.

To deploy any changes from the main branch you'll need to configure a few things in .github/workflows/deploy.yml:

  • myagent: if you picked a different agent/hostname, change it here
  • CACHE_NAME: change mycustomcache into the name of the cache you created.
  • CACHIX_AUTH_TOKEN: in Cachix, find your cache via settings and create a write auth token. Go to your git repository, click Settings, click Secrets, click Actions and add it as a repository secret.
  • CACHIX_ACTIVATE_TOKEN: in Cachix Deploy, click on your newly created workspace and click "Start a deployment" to generate a token. Go to your git repository, click Settings, click Secrets, click Actions and add it as a repository secret.

Setting up self-hosted GitHub runners

Assuming your GitHub organization is called myorg, here's the NixOS configuration:

# Trusted users can override Nix settings and import unsigned store paths,
# which is effectively root-equivalent on this machine.
nix.trustedUsers = [ "root" "github-runner-myorg" ];

# Let the sandboxed runner service write its per-user Nix profiles.
systemd.services.github-runner-myorg.serviceConfig.ReadWritePaths = [ "/nix/var/nix/profiles/per-user/" ];

services.github-runners.myorg = {
    enable = true;
    url = "https://github.com/myorg";
    # Runner token, read from a file so it stays out of the configuration.
    tokenFile = "/etc/secrets/github-runner/myorg.token";
    extraPackages = [ pkgs.cachix ];
};

Then go to https://github.com/organizations/myorg/settings/actions/runners (make sure to replace myorg with the organization's name) and copy the token to /etc/secrets/github-runner/myorg.token.
